[wp-trac] [WordPress Trac] #51611: Escape echoing Core functions
WordPress Trac
noreply at wordpress.org
Fri Oct 23 05:32:40 UTC 2020
#51611: Escape echoing Core functions
-------------------------+-----------------------------
 Reporter:  lolamax      |      Owner:  (none)
     Type:  enhancement  |     Status:  new
 Priority:  normal       |  Milestone:  Awaiting Review
Component:  Security     |    Version:
 Severity:  normal       |   Keywords:
  Focuses:               |
-------------------------+-----------------------------
Hi,
Is there a reason why core functions like the_archive_title() and
the_archive_description() echo output without escaping?
In wp-admin/profile.php the display_name and the
author_meta('description') are stored from user input – which will be
output in archive.php if is_author(), by these functions (e.g. Twenty
Seventeen, Twenty Nineteen) – without escaping.
Wouldn't it be better to escape the output within these functions?
Best regards
Max
--
Ticket URL: <https://core.trac.wordpress.org/ticket/51611>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform
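
Added example (not code from the ticket or from WordPress core): one way a theme or plugin can enforce escaping for the functions named above. It assumes it runs inside WordPress, and relies on the_archive_title() and the_archive_description() echoing the values returned by their get_* counterparts, which pass through the filters of the same name. All example_* names are hypothetical.

```php
<?php
/**
 * Added example: escape archive title/description output from a theme or plugin.
 * Assumes it runs inside WordPress (functions.php or a plugin file).
 * All example_* names are hypothetical.
 */

// the_archive_title() and the_archive_description() echo what their get_*
// counterparts return, so filtering those values also covers the echo.
add_filter( 'get_the_archive_title', 'example_kses_archive_output', 99 );
add_filter( 'get_the_archive_description', 'example_kses_archive_output', 99 );

/**
 * Keep only the markup allowed in post content (drops <script>, on* attributes).
 */
function example_kses_archive_output( $html ) {
	return wp_kses_post( (string) $html );
}

/**
 * Template helper for archive.php: escape at the point of output.
 */
function example_archive_header() {
	if ( is_author() ) {
		$user_id = get_queried_object_id();
		// display_name is plain text: escape every HTML special character.
		$name = get_the_author_meta( 'display_name', $user_id );
		echo '<h1 class="page-title">' . esc_html( $name ) . '</h1>';
		// The biography may carry limited markup: filter instead of escape.
		$bio = get_the_author_meta( 'description', $user_id );
		if ( $bio ) {
			echo '<div class="taxonomy-description">' . wp_kses_post( $bio ) . '</div>';
		}
		return;
	}
	// Other archive types: the filters above already ran on these values.
	the_archive_title( '<h1 class="page-title">', '</h1>' );
	the_archive_description( '<div class="taxonomy-description">', '</div>' );
}
```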